Fined €20m or 4% of annual global revenue? Whoa!!!

Brad Loyakk
Published in Loyakk Blog, Mar 4, 2019

Fines issued by the Information Commissioner’s Office (ICO)

Since Europe’s implementation of the world’s most stringent data protection policies, known as the General Data Protection Regulation (GDPR), European regulators have been granted significantly more power to prosecute and fine non-compliant actors. Within the UK, the role of enforcing the new regulation falls to the Information Commissioner’s Office (ICO), which has already shown that it will not hold back when it comes to punishing non-compliance. With its new ability to issue fines of up to €20m or 4% of an organization’s annual turnover, the cost of data protection mishaps is potentially huge.

It has become painfully clear that effective data protection must begin with verifiably secure technological foundations. However, these foundations are woefully lacking in the traditional corporate environment; commonly used data management and transfer systems are highly vulnerable to human error and malicious actors. In this environment, consistent compliance with data protection requirements cannot be confidently achieved; data mismanagement (and the ensuing wrath of the regulators) is merely a matter of time. Organizations of all sizes are understandably crying out for a solution.

Loyakk is answering the call through the creation of the Loyakk Vega platform, which will leverage blockchain technology to enable new functional and collaborative opportunities within business networks, in the process facilitating a level of verifiably confident data management never before possible in the pre-blockchain era. Confidently compliant data protection practices will enable organizations to collaborate and thrive without the continuous threat of huge regulatory penalties impeding progress. Welcome to the era of blockchain-powered data management.

So, who has been fined so far?

Though many recent proceedings have centered on data protection failures that occurred before GDPR implementation (with the violators therefore penalized under the more lenient 1998 Data Protection Act), the regulatory bodies tasked with enforcing the new legislation are proving extremely active when it comes to identifying and punishing non-compliant actors. The slightest violation of any of the wide-ranging data protection requirements, ultimately designed to give individuals greater protection and rights over their own personal data, can bring the full wrath of the regulators down on any non-compliant organization.

The ICO and their European counterparts have acted swiftly and decisively against violators regardless of the size, weight and even the location of the organization in question; non-EU established data ‘possessors’ and ‘processors’ are equally subject to GDPR if they offer goods and/or services to citizens within the EU.

ICO targets so far include some of the largest corporate giants:

  • TalkTalk: In October 2016, before the introduction of GDPR, TalkTalk was issued with a record fine of £400,000 for failing to protect itself against a well-known SQL injection cyber-attack which exposed the personal details of more than 150,000 of its customers.
  • Equifax: The credit rating agency was fined £500,000 in September 2018 after falling victim to an enormous data breach by hackers, during which the firm failed to protect the personal data of 15m UK customers. Luckily for Equifax, due to the timing of the breach falling before GDPR implementation, they could only be fined a maximum of £500,000 under the 1998 Data Protection Act.
  • Facebook: Following the Cambridge Analytica scandal, which revolved around application developers gaining non-permissioned access to the personal data of upwards of 1m UK users, the social media giant was fined a cautionary £500,000 in October 2018. Again, due to the timing of the breach, Facebook narrowly missed an inevitably much heavier fine under GDPR.
  • Google: Google’s recent data protection troubles clearly illustrate how much more severe the penalties are under the new regulation than under the old. Having been issued a whopping fine of €50m by the French regulator CNIL, Google is now under investigation by the ICO after a number of complaints were raised regarding the corporation’s policy of ‘forced consent’, in which users must accept data collection in order to use its affiliated apps (such as Gmail). This case may set an extremely important precedent in the wider battle between traditional corporate business models and the new push for consumer data autonomy, but the outcome is yet to be seen.

It has been clearly demonstrated that no organization is beyond the firing-line of the regulators when it comes to mishandled data protection. However, the ever-present threat of harsh penalties alone has far from ushered in a new era of effective data protection; in fact, the number of data protection complaints received by the ICO reportedly more than doubled in the months following the implementation of GDPR.

The threat of punishment, no matter how harsh, cannot overcome the fundamental flaws in current corporate data management.

How easy is it to fall under non-compliance? A practical example

When a data breach occurs, it can be devastating both to the individuals affected and to the organization responsible for safeguarding their data. Not only can such situations cause potential financial, social and/or personal ruin for each person whose data was exposed, but such security breaches often result in irreparable damage to company reputation and a heavy loss of consumer trust.

Combined with the threat of a significant fine, it’s clear that every party is highly incentivized to avoid such situations, and yet they are still an all too common occurrence. Why? The simple answer is human error combined with technological weaknesses.

Take, for illustration, the example of a customer of a medical healthcare provider wishing to change their supplier:

The customer, being conscious of data security, asks the supplier to remove their details from any company records. Accordingly, the supplier agrees and confirms that all of the individual’s personal data has been removed from all relevant company systems; not a trace of the customer is left with the medical supplier itself. However, the supplier’s outbound marketing is handled by a third party whose separate systems have not accounted for the customer’s request to be forgotten, and as a result, the customer receives a routine marketing email several months later from the third party, sent on behalf of the medical supplier.

Small mistake… big problem!

Even in a scenario such as this, resulting from an honest mistake and carried out by a third party, organizations are liable to receive the full force of regulatory scrutiny and potential fines of up to €20m or 4% of an organization’s annual turnover (whichever is greater). The severity of the fine reflects the severity of the violation, but even for ‘minor’ data protection mishaps, fines can reach €10m or 2% of turnover. “Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use”, Information Commissioner Elizabeth Denham recently stated in her latest speech. Enforcing accountability is clearly top of the agenda for the ICO.

The key, therefore, is for organizations to acknowledge this accountability and proactively adapt their operations to effectively counter the threat of data-related mismanagement. If the two parties in the above example had been using the Loyakk Vega platform to manage the medical provider’s email database, for example, their mishap would have been a technical impossibility; with the ability to share and update data seamlessly within the wider business network using a shared ledger, organizations using Loyakk Vega can be verifiably confident that changes to confidential data records occur instantly across the board. This greatly negates the technological weaknesses and human error which plague traditional marketing practices when it comes to effective GDPR compliance.

Traditional mechanisms lack the intrinsic ability to be confidently and consistently compliant: what needs to be done?

A large aspect of the new data protection legislation revolves around actually protecting the data of individuals against data breaches of any kind, whether caused by human error or malicious activity. The inherent inevitability of human error, alongside the weaknesses of traditional systems for data management and transfer, has therefore become a potentially crippling problem. Combined with the fact that an organization can be penalized for the failures of its operational partners, this creates a situation with a plethora of potential points of failure, and thus of regulatory violation, many of which are outside the direct influence of the organization.

In short, traditional business procedures are inherently flawed when it comes to confidently compliant data management practices across an entire corporate entity (let alone across company boundaries). This is the motivation for the creation of the next-gen Loyakk Vega platform, which leverages blockchain technology to enable new functional and collaborative opportunities within business networks. Aside from enabling next-gen business relationship management, Loyakk Vega will facilitate new levels of security and functionality within the data transfer process, making ultra-secure, permissioned and verifiable movement of confidential data as seamless as sending an email.

In the new regulatory environment, an organization’s reliance on unreliable, archaic means of data management and transfer puts it at perpetual risk of non-compliance and a hefty penalty. The new era of enhanced data protection will therefore require the next generation of business interaction mechanisms, and Loyakk is currently pioneering the way on its mission to revolutionize business networks.

Exactly how this is to be achieved in the area of data management will be explored in our next post.

Article Written by Shane Latham
